SPLK-1002 Splunk Core Certified Power User – Splunk Inbuilt & Advanced Visualizations Part 3

  1. Dashboard Drilldown Example

In this module we will look more closely at the drilldown feature and at how the dashboards created in the previous modules can be enhanced to narrow down the events generated by a given IP address, host name, or any other criterion we choose to drill down on. Put another way, drilldown is a way of narrowing down to the cause of an issue.

We will see how Splunk dashboards can be enhanced so that, without writing additional search queries, a click drills down from one dashboard into another dashboard, or into search results, that give much more information about the events. In this module we cover what a drilldown is (narrowing down to the cause, or to the intended result we are looking for), how to configure it, and how to pass a row value or a column value. In the previous modules we created a couple of dashboards, including the demo dashboard shown here, which contains multiple panels.

These panels contain rows and columns. Suppose you need to pass the value in a given row to another dashboard, so that clicking it drills down to give more information about that IP: for example, which pages were accessed by this IP address, or the actual raw logs it generated. As soon as you click the value, it is passed automatically to the next dashboard and you can narrow down much further.

By the end of this tutorial you will know how to configure the drilldown feature and how it adds value to an investigation by passing row values and column values. You can also pass these values within the same dashboard: as soon as I click a value here, the same dashboard should reload with that value filled in, without my typing anything into the input. In other words, when I click this icon or this IP address, the value is passed into the same dashboard's tokens and the dashboard reruns.

The other case is that once I click or select an IP address, it is passed into a different dashboard where further analysis is carried out. These are the concepts we will cover in this video. To demonstrate them, I have created one more dashboard, named drill down.

This dashboard was created for demonstration purposes. You do not need to worry about recreating it: these dashboards will be available when you access the lab, so you can see what each dashboard contains, how it is configured, and how drilldown has been enabled. As you can see, this dashboard has two inputs, labelled "get value from the previous dashboard".

We will see how to send the values selected by a mouse click on the chart into these inputs. The first is a text input and the second is a dropdown; you can send the clicked value to both. The third panel shows the complete raw events containing the specified source IP, and the final panel gives the total number of events generated by the IP received from the previous dashboard. So let us see how to configure drilldown.

  2. Dashboard Drilldown Configuration

To configure drilldown, open the dashboard in edit mode. Once in edit mode there are two ways to configure it: by editing the Simple XML directly, or by using the web UI. We will create the drilldown using the web UI first and then look at the entry it generates in the XML. Choose whichever panel you like and click the three-dots (more actions) icon on that panel; this opens the drilldown editor, which asks what should happen when a user clicks.

At present the default is "No action". We will choose "Link to dashboard". The other options are "Link to search", "Link to report", and "Link to custom URL", which redirects the user to an external site such as splunk.com or google.com. For our purpose, which is drilling further into our Splunk data, we need "Link to dashboard".

The target is our drill down dashboard. The editor lists all dashboards available to the logged-in user; I choose drill down. The next option is the most important one: the advanced field, where you specify which values are passed. You need to know the token name used by the input on the second dashboard, because that is the token we will populate. I copy that token name. The syntax is form data, so the parameter starts with form. followed by the token name, as in form.first_value=. Then comes the interesting part.

What value should it pass? We want the value directly under the mouse cursor at the moment of the click, which is the $click.value$ token. Wherever you click on this panel, the value right under the cursor is passed into the drilldown dashboard. Choose click.value and click Save.

Once it is saved, click a value on the dashboard. As you can see, the URL contains the parameter we entered in the advanced field, with the token replaced by the selected IP address. The previous view is the dashboard without any drilldown value; this is the view after drilldown. The IP address has been passed automatically, the drilldown dashboard has filtered its searches to the events generated by that IP, and it shows only results specific to the IP we passed. If you click another IP, the drilldown dashboard shows results specific to that IP instead.

We have successfully passed $click.value$ into the first_value token of the drilldown dashboard just by clicking a panel. This can be chained: it can go through ten dashboards if needed, until you narrow down to the exact event that caused the alert or matched the criteria you are looking for. This is a simple example of passing one value from one dashboard to another.

Now we will pass the value into the second input of the drilldown dashboard. To do that we need the token name used by the second input. Once we have the token, return to the main demo dashboard and edit the second panel: More actions > Edit drilldown > On click > Link to dashboard, then choose the destination dashboard.

The destination is again the dashboard named drill down. We know the token name; as soon as you type it into the advanced field, the editor builds the URL string. So this is a form parameter with the token name second_value.

The value to pass is again $click.value$, so whichever element we click, the value it holds is passed. Let us click a few different values. As you can see, the URL now carries the drilldown value 188.138.40.166, and the second input's default value has been overwritten by the value received from the drilldown.
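The two dashboards the walkthrough above configures, written out as Simple XML so you can see what the drilldown editor generates and what the destination inputs look like. This is an added example, not the page's lab files: the app name search, the index web, the sourcetype, the dashboard IDs demo and drill_down and the searches are assumptions; the tokens first_value and second_value, the $click.value$ token and the form.<token> URL parameters are the ones the walkthrough uses.

```xml
<!-- Added example, not the lab's own dashboards. App "search", index "web",
     dashboard IDs "demo" / "drill_down" and the searches are assumptions. -->

<!-- ===== Source: demo dashboard (saved as demo.xml) ===== -->
<form>
  <label>Demo Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Requests per source IP</title>
      <table>
        <search>
          <query>index=web sourcetype=access_combined | stats count by clientip | sort - count</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <drilldown>
          <!-- In a table, $click.value$ is the first column of the clicked row
               (clientip here); $click.value2$ is the clicked cell itself.
               form.<token> fills the matching input on the target dashboard;
               the |u filter URL-encodes the value for the query string. -->
          <link target="_blank">/app/search/drill_down?form.first_value=$click.value|u$&amp;form.second_value=$click.value|u$&amp;form.time_tok.earliest=$time_tok.earliest$&amp;form.time_tok.latest=$time_tok.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

<!-- ===== Destination: drill down dashboard (saved as drill_down.xml) ===== -->
<form>
  <label>drill down</label>
  <fieldset submitButton="false">
    <input type="text" token="first_value">
      <label>Get value from the previous dashboard (text)</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="second_value">
      <label>Get value from the previous dashboard (dropdown)</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>clientip</fieldForLabel>
      <fieldForValue>clientip</fieldForValue>
      <search>
        <query>index=web sourcetype=access_combined | stats count by clientip</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Raw events for $first_value$</title>
      <event>
        <search>
          <!-- The token arrives from a URL anyone can craft. The |s filter wraps the
               value in double quotes and escapes embedded quotes, so it cannot break
               out of the clientip= clause and alter the rest of the search. -->
          <query>index=web sourcetype=access_combined clientip=$first_value|s$</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </event>
    </panel>
    <panel>
      <title>Event count for $second_value$</title>
      <single>
        <search>
          <query>index=web sourcetype=access_combined clientip=$second_value|s$ | stats count</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```

Two points worth checking in your own dashboards: use $row.clientip$ instead of $click.value$ if the IP is not the first column of the table, and quote every token that lands inside a search with |s, since the destination dashboard has no way of knowing whether the URL was produced by the drilldown editor or typed by hand.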

  3. Dashboard Drilldown to Same Dashboard

You can use this feature on any number of dashboards, any number of times. As a walkthrough example for the lab, create a single-value panel showing how many errors the Splunk application has generated in the last 24 hours. Clicking the single value should go to a dashboard listing all the IP addresses of the Splunk instances that have errors, and clicking one of those instances should go to another dashboard showing all of its events.

Give it a try as part of the lab exercise; if you face any issues, leave a comment in the discussion section and I will assist. We have now seen how to pass values from one dashboard to another. Let us look at the option of passing the values directly into a search query. For this we will use our pie chart: click More actions > Edit drilldown. This time we choose "Link to search", because we have already seen a couple of dashboard examples.

With "Link to search", the default is to generate the search automatically from the clicked element: it takes the search the pie chart uses and shows you its results. But we will create a custom search. This is the search generating the pie chart; instead of a fixed value, the clientip should be $click.value$, which passes the value from the chart wherever I click into the search. It also passes the time range.

That is, whatever time range the panel uses in the dashboard is passed along with the value. We have simply added $click.value$ to a basic search. Now that drilldown is enabled, we have three drilldowns: the first panel links to the first input of the drilldown dashboard, the second to the second input, and the third links directly to search. Let us test the search drilldown. As you can see, it redirects to the search page.

The IP address we selected with a single click is substituted into the search query, and the time range is the one selected on the dashboard. Whichever IP I click, the search reloads for that IP. These are examples of passing values from one dashboard to another. To pass values within the same dashboard, click Edit drilldown, choose the same dashboard instead of another one, and make sure you change the token to the one used by the input on this dashboard.

Here the token name is source, so I change the parameter to form.source. I click Apply and then Save. Clicking now opens the demo dashboard, the same dashboard, with the drilldown applied: the source IP input is updated and the panels show only information related to that source. These are some of the most widely used drilldowns; as a Splunk admin you will create a lot of drilldowns and workflows, which we will discuss in the next lecture.
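The last two drilldowns of this section, the pie chart linking to a custom search and the same-dashboard drilldown on the source token, as Simple XML. This is an added example, not the page's lab dashboard; the index, sourcetype, searches and panel layout are assumptions. The page configures the same-dashboard case through the editor as a "Link to dashboard" pointing back at itself (form.source=$click.value$ in the URL); the example shows that URL in a comment and uses the in-place alternative, a <set> on the form.source token, which updates the input and reruns the dependent searches without reloading the page.

```xml
<!-- Added example, not the lab's own dashboard. Index "web", sourcetype
     "access_combined", the searches and the dashboard ID "demo" are assumptions. -->
<form>
  <label>Demo Dashboard (search and same-dashboard drilldowns)</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <input type="text" token="source">
      <label>Source IP</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Requests by source IP (click a slice to open its raw events in Search)</title>
      <chart>
        <search>
          <query>index=web sourcetype=access_combined | top limit=10 clientip</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <!-- Custom search instead of "Auto": the clicked slice label ($click.value$,
               a clientip) becomes the filter, and the panel's time range is carried
               along. The fixed part of the SPL is URL-encoded by hand; |u encodes the
               clicked value. Decoded, q= reads:
                 search index=web sourcetype=access_combined clientip="<ip>"            -->
          <link target="_blank">search?q=search%20index%3Dweb%20sourcetype%3Daccess_combined%20clientip%3D%22$click.value|u$%22&amp;earliest=$time_tok.earliest$&amp;latest=$time_tok.latest$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top URIs for $source$ (click a row to filter this dashboard to that IP)</title>
      <table>
        <search>
          <!-- |s quotes the token so a value typed into the input or passed via the
               URL cannot escape the clientip= clause -->
          <query>index=web sourcetype=access_combined clientip=$source|s$ | stats count by clientip uri | sort - count</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <drilldown>
          <!-- Same-dashboard drilldown. The editor's "Link to dashboard" version is
                 <link target="_blank">/app/search/demo?form.source=$click.value|u$</link>
               which reloads the page. Setting the form.source token instead updates
               the Source IP input in place, and every search that references
               $source$ reruns. -->
          <set token="form.source">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

In the table panel $click.value$ is the first column of the clicked row, which is why the search puts clientip first in the stats by clause; if a different column should drive the filter, use $row.<fieldname>$ for that column instead.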
